Defining and Assessing Risks Detected during the Audit
Risks can be identified during audit execution.
Example: within the framework of an audit on hardware purchase, a risk on requirement suitability may be identified, such as a bad technological choice.
We differentiate risks discovered during the audit from those previously defined in the audit scope and in the different activities. See
Specifying the Audit Scope.
Risks discovered during audit execution should be connected to the activity finding, or to the recommendation.
Displaying the list of risks
In the Risks page of audit properties, you can view risks related to:
• the audit
• the audit objects
Assessing Risks
To assess the objects (in their context):
1. Open the properties of the audit.
2. Select the risks Assessment page.
3. Select the risk(s) you want to assess.
4. Select the value(s) characterizing the risk(s).
• Impact: impact of the risk when it occurs
• Likelihood: probability that the risk will appear
• Control Level
Control level characterizes the efficiency level of control elements deployed (controls) to assess the risk.
5. Click Validate Multiple Assessment Table.
Assessment validation enables you to view results in the risk map. Validation can take a while, therefore the wizard offers to execute this process later if needed.
The following values are calculated:
• inherent risk
The inherent (or gross) risk indicates the risk to which the organization is exposed in the absence of measures taken to modify the occurrence likelihood or impact of this risk. This is the result of multiplying the impact value and the likelihood value before taking account of risk prevention or reduction measures.
• residual risk
The residual (or net) risk indicates the risk to which the organization remains exposed after management has processed the risk. This is the difference between the Inherent Risk and the Control Level.
Generating the risk heatmap
A report enables you to view the map of risks associated with an audit, depending on their assessment criteria (Impact, Likelihood, etc.).
To view the risk map associated with an audit:
In the properties of the audit, select the
Reporting page then
Internal Audit > Audit Risks Heatmaps.
The audit risk map appears.
The number of risks displayed depends on the number of contexts.
Risks must have first been assessed for you to get results in this risk map.
